From 1c9db1d1f14d5f83d8bd7dbbd535cf109680471f Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Thu, 11 Aug 2011 17:35:03 +0200 Subject: Add a configuration setting to disallow HTTP login If this is enabled, do not show the login form and display a note suggesting to switch to a secure connection if a user accesses the site via HTTP. Signed-off-by: Lukas Fleischer --- web/lib/aur.inc.php | 7 +++++-- web/lib/config.inc.php.proto | 3 +++ web/template/login_form.php | 10 +++++++++- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php index 0927604a..474ebeed 100644 --- a/web/lib/aur.inc.php +++ b/web/lib/aur.inc.php @@ -326,9 +326,12 @@ function html_header($title="") { global $_POST; global $LANG; global $SUPPORTED_LANGS; + global $DISABLE_HTTP_LOGIN; - $login = try_login(); - $login_error = $login['error']; + if (!$DISABLE_HTTP_LOGIN || (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'])) { + $login = try_login(); + $login_error = $login['error']; + } $title = htmlspecialchars($title, ENT_QUOTES); diff --git a/web/lib/config.inc.php.proto b/web/lib/config.inc.php.proto index f710844d..0f672abe 100644 --- a/web/lib/config.inc.php.proto +++ b/web/lib/config.inc.php.proto @@ -71,3 +71,6 @@ $PERSISTENT_COOKIE_TIMEOUT = 60 * 60 * 24 * 30; # please ensure "upload_max_filesize" is additionally set to no more than 3M, # otherwise this check might be easy to bypass (FS#22991 for details) $MAX_FILESIZE_UNCOMPRESSED = 1024 * 1024 * 8; + +# Allow HTTPs logins only +$DISABLE_HTTP_LOGIN = true; diff --git a/web/template/login_form.php b/web/template/login_form.php index ca81e0e7..b351a27e 100644 --- a/web/template/login_form.php +++ b/web/template/login_form.php @@ -6,7 +6,7 @@ if (isset($_COOKIE["AURSID"])) { [] " . $login_error . "
\n"; } @@ -26,5 +26,13 @@ else { [] + + + + https://aur.archlinux.org/ + -- cgit v1.2.3-24-g4f1b